@erinn here is what we use internally for JAAS:
# JAAS login chain for the Rundeck server; the cookbook renders these entries
# in order into the JAAS configuration. Standard JAAS flag semantics apply:
# the property-file module is `sufficient`, so a user found in
# aboten.properties is authenticated without the LDAP module being consulted,
# while everybody else has to pass the `required` LDAP module.

# Local, file-backed accounts. The properties file holds credentials on disk,
# so it needs the same protection as any other secret under confdir.
# `debug: 'true'` enables the module's diagnostic output; check what it logs
# before leaving it on outside a test environment.
local_accounts = {
  module: 'org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule',
  flag: 'sufficient',
  options: {
    debug: 'true',
    file: ::File.join(node['rundeck_server']['confdir'], 'aboten.properties'),
  },
}

# Active Directory over LDAPS. The bind credentials (bindDn/bindPassword) are
# injected later into `jaas[1][:options]`, so this entry must stay second in
# the array below.
active_directory = {
  module: 'com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule',
  flag: 'required',
  options: {
    # Connection and module settings
    debug: 'true',
    contextFactory: 'com.sun.jndi.ldap.LdapCtxFactory',
    # Successful logins are cached for 300000 ms (5 minutes): a disabled AD
    # account or a group change can stay effective in Rundeck for that long.
    cacheDurationMillis: '300000',
    # Extra role on top of the LDAP groups — presumably added to every user
    # this module authenticates; confirm against the module documentation.
    supplementalRoles: 'CRITEO_Users',
    reportStatistics: 'true',
    # ActiveDirectory in DC, reached over TLS (ldaps, port 636)
    providerUrl: "ldaps://#{dc}.ad.criteo.#{env}:636",
    authenticationMethod: 'simple',
    # Authenticate by binding to AD with the user's own credentials rather
    # than comparing a retrieved password attribute.
    forceBindingLogin: 'true',
    # Users are under FimUsers
    userBaseDn: "OU=FimUsers,DC=#{dc},DC=ad,DC=criteo,DC=#{env}",
    userRdnAttribute: 'sAMAccountName',
    userIdAttribute: 'sAMAccountName',
    userPasswordAttribute: 'unicodePwd',
    userObjectClass: 'user',
    # Roles are under FimGroups
    roleBaseDn: "OU=FimGroups,DC=#{dc},DC=ad,DC=criteo,DC=#{env}",
    roleNameAttribute: 'cn',
    roleMemberAttribute: 'member',
    roleObjectClass: 'group',
    rolePrefix: '',
  },
}

default['rundeck_server']['jaas'] = [local_accounts, active_directory]
# Service account used for the LDAP bind. The throw-away fallback only exists
# in the '_default' (test) environment; everywhere else no fallback is passed,
# so the credentials have to come from the 'shared_secrets'/'ldap_read' vault
# item.
fallback =
  if node.chef_environment == '_default'
    { 'user' => 'test', 'password' => 'wrongPassw0rd' }
  end
ldap_secrets = chef_vault_item_or_default('shared_secrets', 'ldap_read', fallback)

# Inject the bind credentials into the LDAP module, which is entry 1 of the
# JAAS chain — this index couples the two definitions, keep them in sync.
# NOTE(review): this uses `secret[...]` while the JAAS chain is defined via
# `default[...]`; confirm `secret` resolves to the intended attribute level.
ldap_options = secret['rundeck_server']['jaas'][1][:options]
ldap_options[:bindDn] = "CN=#{ldap_secrets['user']},OU=FimServices,DC=#{dc},DC=ad,DC=criteo,DC=#{env}"
ldap_options[:bindPassword] = ldap_secrets['password']
Since the rundeck-server cookbook simply reads all attributes to generate the files, the Rundeck server documentation is the reference for the available settings.
Here is an example of acl definition:
# Admin policy: members of the Gu-Core group get unrestricted ('*') access at
# project level (every project, via the '.*' context) and at application level
# (every project, system resources and the whole key storage). There is no
# finer-grained rule in this policy, so group membership is the only control.
unrestricted = -> { [{ allow: '*' }] }

default['rundeck_server']['aclpolicy']['admin'] = [
  {
    description: 'Admin, all access.',
    context: { project: '.*' },
    for: {
      resource: unrestricted.call,
      adhoc: unrestricted.call,
      job: unrestricted.call,
      node: unrestricted.call,
    },
    by: { group: ['Gu-Core'] },
  },
  {
    description: 'Admin, all access.',
    context: { application: 'rundeck' },
    for: {
      resource: unrestricted.call,
      project: unrestricted.call,
      storage: unrestricted.call,
    },
    by: { group: ['Gu-Core'] },
  },
]
#
# RunDeck Administrators API group (based on Rundeck's default api_token_group)
#
# Holders of a token in api_token_group can create, run and kill jobs, run
# ad-hoc commands (including runAs/killAs), manage nodes, toggle executions,
# exercise the `admin` system right, and have full ('*') access to key storage
# under keys/. Treat membership in this group as administrative.
api_group = 'api_token_group'

project_level = {
  description: 'Admin API project level access control',
  context: { project: '.*' },
  for: {
    resource: [
      { equals: { kind: 'job' }, allow: %w[create delete] },
      { equals: { kind: 'node' }, allow: %w[read create update refresh] },
      { equals: { kind: 'event' }, allow: %w[read create] },
    ],
    adhoc: [{ allow: %w[read run runAs kill killAs] }],
    job: [{ allow: %w[create read update delete run kill] }],
    node: [{ allow: %w[read run] }],
  },
  # NOTE(review): a bare string here, whereas the admin policy uses an array
  # (`group: ['Gu-Core']`); confirm the cookbook renders both forms as intended.
  by: { group: api_group },
}

application_level = {
  description: 'Admin API Application level access control',
  context: { application: 'rundeck' },
  for: {
    resource: [
      { equals: { kind: 'system' }, allow: %w[read enable_executions disable_executions admin] },
    ],
    project: [{ match: { name: '.*' }, allow: ['read'] }],
    # Wildcard access to every key under keys/ — this includes any stored
    # passwords and private keys.
    storage: [{ match: { path: '(keys|keys/.*)' }, allow: '*' }],
  },
  by: { group: api_group },
}

default['rundeck_server']['aclpolicy']['apitoken'] = [project_level, application_level]
Could you folks document a JAAS example? It would be much appreciated. The same goes for an ACL example.
Thanks, -Erinn